Presentations
Modern Heap Exploitation using the Low Fragmentation Heap
[Chris Valasek]
Exploit mitigation technologies have made reliable heap exploitation increasingly difficult since the inception of the 4-byte overwrite, over ten years ago. At the same time, applications needed to become more stable without using absurd amounts of memory (who doesn't keep their web browser with multiple tabs open for days?). Heap memory management has matured over time, but with complex new code comes new opportunity for exploitation.
This presentation will focus on understanding the Low Fragmentation Heap on Windows 7 (32-bit). After a foundation of integral concepts is laid, new exploitation techniques will be thoroughly discussed. Finally, we will use this newfound knowledge to leverage supposedly non-exploitable vulnerabilities. Specifically, we will cover a case study showing how to craft an exploit for the IIS FTP 7.5 denial of service (http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx), resulting in full control of EIP.
We hope to see you there!
http://illmatics.com/FTPOwned.PNG
Introduction to x64 Reversing
[Jon Larimer]
64-bit operating systems are now the norm for new PCs, and understanding how x64 code works is essential to reverse engineering code that runs on modern platforms. Before you can effectively analyze the latest 64-bit malware samples or start writing exploits for native 64-bit applications, you need to know some of the key differences between 32- and 64-bit code.
x64 doesn't just mean the CPU registers are bigger and start with the letter 'r' - the calling convention and stack frame layout are totally different, and understanding disassembled x64 code can be confusing if you don't know what's going on. This presentation will cover both the Microsoft x64 application binary interface (ABI) that's used on Windows, as well as the System V x64 ABI used on Linux, BSD, and Mac. Since many reversing tools and frameworks only work on 32-bit code, I'll talk about the ones that support x64.
If you can make it through this talk without falling asleep, you’ll have no problem tackling your next x64 reversing project.
Hardware Stuff for Software People
[Stephen A. Ridley]
This talk will be an introduction to doing "hardware stuff", for people accustomed to plying their trade against software. I will discuss how to build tools (and use existing tools) to sniff/spy on a variety of hardware communications channels, from UART serial (the kind in your computer) to the *very* ubiquitous SPI/I2C serial buses used in virtually everything (from the EEPROM in your portable DVD player to the HDMI/VGA cables between your computer and monitor).
I will demonstrate how these simple hardware taps can be used to begin reverse engineering, spoofing, and fuzzing in places where (as a software person) you might not have previously felt comfortable. I will be bringing along a number of custom hardware and software tools (used specifically for these purposes) as well as a mock lab environment for demonstrations.
Other than these practical skills, I am new to this "hardware stuff", so please don't expect an "embedded-JTAG-SCADA-mobile" buzzword soliloquy. I'll just be sharing some stories and showing some neat hardware and software I've recently found useful.
Practical vtrace, 0day, drinking
[Dr. Raid]
In this talk, Raid will cover functionality and show examples using vtrace, a scriptable debugging framework, in addition to dropping random 0day, and rapping, while maintaining a BAC above 0.25.
Ghetto Intermediate Representation with Vtrace
[Ben Agre]
In an earlier talk I wrote about making reverse engineers' lives hell. I did this via messing with assembly, but during the talk I created a basic Intermediate Representation to represent what's going on inside of the application. This talk will go into the makings of a basic and ghetto IL with vtrace. It will go into a little bit of detail on some of the features of vtrace, as well as some design decisions and hardships I learned along the way.
Kernel Fun
[Jon Oberheide] & [Dan Rosenberg]
In this talk, Jon and Dan will be hating on Linux kernel security, giving an overview of the highlights and lowlights of Linux kernel security last year and presenting some sexy new techniques to bypass popular kernel protection mechanisms.
Mobile Malware
[Jimmy Shah]
Smartphones are a hot new market for software developers. Millions of potential customers, and a large percentage willing to part with a small sum of money for your latest creation. Even a moderately successful app can help fill your pockets. It's hard to ignore for legitimate developers. It's even harder to ignore for criminals.
Things have changed from the old days of malware creation. It's no longer just about proving yourself or testing a new platform by writing proof-of-concepts (PoCs), porting old malware, and learning the idiosyncrasies of the development tools. Now it's about evading detection and taking a profit. Where there's money, crime usually follows.
The presentation is not about attribution, naming names or pointing out the parties responsible. It's about the underlying technology and the methods used, including:
- how actual examples in the wild function
- detection/analysis evasion techniques
- geographical trends in profit-taking malware
The Exploit Intelligence Project
[Dan Guido]
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year after year.
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attackers' capabilities and methods, with data collected from the most popular crimeware packs currently deployed in the wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.
